Closed Bug 430814 Opened 14 years ago Closed 14 years ago

Crash [@ nsStyleContext::GetStyleDisplay] while trying to print

(Core :: Layout: Tables, defect)

Not set

(Reporter: martijn.martijn, Assigned: mats)

(Keywords: crash, testcase, verified1.8.1.15, Whiteboard: [sg:critical?])

Crash Data

(2 files)

See testcase, when clicking on the print button and then printing something,
current trunk builds of Mozilla crash.
0  	xul.dll  	nsIFrame::GetStyleDisplay  	 nsStyleStructList.h:95
1 	xul.dll 	nsCSSRendering::PaintBackgroundWithSC 	mozilla/layout/base/nsCSSRendering.cpp:3448
2 	xul.dll 	TableBackgroundPainter::PaintCell 	mozilla/layout/tables/nsTablePainter.cpp:634
3 	xul.dll 	TableBackgroundPainter::PaintRow 	mozilla/layout/tables/nsTablePainter.cpp:590
4 	xul.dll 	TableBackgroundPainter::PaintRowGroup 	mozilla/layout/tables/nsTablePainter.cpp:530
5 	xul.dll 	TableBackgroundPainter::PaintTable 	mozilla/layout/tables/nsTablePainter.cpp:446
6 	xul.dll 	nsTableFrame::PaintTableBorderBackground 	mozilla/layout/tables/nsTableFrame.cpp:1469
7 	xul.dll 	nsDisplayTableBorderBackground::Paint 	mozilla/layout/tables/nsTableFrame.cpp:1318
8 	xul.dll 	nsDisplayList::Paint 	mozilla/layout/base/nsDisplayList.cpp:296
9 	xul.dll 	nsLayoutUtils::PaintFrame 	mozilla/layout/base/nsLayoutUtils.cpp:988
10 	xul.dll 	nsPageFrame::PaintPageContent 	mozilla/layout/generic/nsPageFrame.cpp:562
11 	xul.dll 	PaintPageContent 	mozilla/layout/generic/nsPageFrame.cpp:403
12 	xul.dll 	nsDisplayGeneric::Paint 	mozilla/layout/base/nsDisplayList.h:862
13 	xul.dll 	nsDisplayList::Paint 	mozilla/layout/base/nsDisplayList.cpp:296
14 	xul.dll 	nsLayoutUtils::PaintFrame 	mozilla/layout/base/nsLayoutUtils.cpp:988
15 	xul.dll 	nsSimplePageSequenceFrame::PrintNextPage 	mozilla/layout/generic/nsSimplePageSequence.cpp:647
16 	xul.dll 	nsPrintEngine::PrintPage 	mozilla/layout/printing/nsPrintEngine.cpp:2368
17 	xul.dll 	nsPagePrintTimer::Notify 	mozilla/layout/printing/nsPagePrintTimer.cpp:90
18 	xul.dll 	nsTimerImpl::Fire 	mozilla/xpcom/threads/nsTimerImpl.cpp:403
19 	xul.dll 	nsTimerEvent::Run 	mozilla/xpcom/threads/nsTimerImpl.cpp:490
20 	xul.dll 	nsThread::ProcessNextEvent 	mozilla/xpcom/threads/nsThread.cpp:510
21 	xul.dll 	nsBaseAppShell::Run 	mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
22 	nspr4.dll 	PR_GetEnv 	
23 	firefox.exe 	wmain 	mozilla/toolkit/xre/nsWindowsWMain.cpp:87
24 	firefox.exe 	firefox.exe@0x217f 	
25 	kernel32.dll 	BaseProcessStart
Attached file testcase
OS: Windows XP → All
Whiteboard: [sg:critical?]
Attached patch wallpaper
Wallpaper, until we find the real bug...
This file already has this wallpaper in another place:
Attachment #317773 - Flags: review?(bernd_mozilla)
Group: security
Comment on attachment 317773 [details] [diff] [review]

The cited url was not wallpapering over a bug but rather defensive programming. I had a good share of crash bugs (one of them being a top crasher) after fantasai's paint patch landed, so the idea was to have a rather drastic assertion message that will ring all bells instead of having an exploitable array boundary violation.

I will do the core fix and then check if ff2 is also vulnerable.
Attachment #317773 - Flags: review?(bernd_mozilla) → review+
Attachment #317773 - Flags: superreview?(roc)
Attachment #317773 - Flags: superreview?(roc) → superreview+
Attachment #317773 - Flags: approval1.9?
Comment on attachment 317773 [details] [diff] [review]

a=mconnor on behalf of 1.9 drivers
Attachment #317773 - Flags: approval1.9? → approval1.9+
mozilla/layout/tables/nsTablePainter.cpp 	3.26 

Filed bug 431087 on fixing the real bug.

Assignee: nobody → mats.palmgren
Target Milestone: --- → mozilla1.9
Closed: 14 years ago
Resolution: --- → FIXED
Comment on attachment 317773 [details] [diff] [review]

The testcase does not crash on XP/Linux/OSX, but the code looks
the same on branch.  The patch is trivial so it might be worth taking
just in case...
Attachment #317773 - Flags: approval1.8.1.15?
Flags: in-testsuite?
> The patch is trivial so it might be worth taking just in case...
Exactly, this should go onto branch; there is no need for gambling there.
Comment on attachment 317773 [details] [diff] [review]

approved for, a=dveditz for release-drivers
Attachment #317773 - Flags: approval1.8.1.15? → approval1.8.1.15+
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008042806 Minefield/3.0pre. No crash with the testcase.
Checked in on MOZILLA_1_8_BRANCH:
Keywords: fixed1.8.1.15
Mats, can we change the assert to something less draconian? Like a warning for a "nsTablePainter error"; I will know what it means. This bug should stay closed till bug 424377 is fixed.
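The defensive guard bernd describes earlier (a loud assertion that "rings all bells" instead of an exploitable array boundary violation) and the quieter warning asked for in the comment above, as an added illustration. This is not Mozilla's nsTablePainter code: the Table/Row/Cell structures, the GuardMode switch, the failure-handler hook and the sample table are all assumptions made for the example. The point it shows is that the bounds check runs before the array index, so a cell whose column index does not match the table's style array is reported and skipped in either mode rather than read out of bounds.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Added illustration, not Mozilla's nsTablePainter: a miniature table
// background painter that looks up a per-column style for every cell.
struct Cell { int colIndex; };
struct Row  { std::vector<Cell> cells; };
struct Table {
    std::vector<std::string> colStyles;   // one entry per column
    std::vector<Row> rows;
};

// How a failed consistency check is reported: a drastic assertion that
// cannot be missed, or a warning that lets painting continue.
enum class GuardMode { Assert, Warn };

// Hook for the drastic path so the caller decides what "ring all bells"
// means (hypothetical; the default aborts the process like an assertion).
using FailureHandler = void (*)(const char* what);
static void DefaultFailure(const char* what) {
    std::fprintf(stderr, "ASSERTION: %s\n", what);
    std::abort();
}
static FailureHandler gFailure = DefaultFailure;

static int gWarnings = 0;   // cells skipped under GuardMode::Warn

// Returns true when cell.colIndex addresses an existing column. Otherwise the
// problem is reported and the caller must skip the cell instead of indexing.
static bool CellColumnIsValid(const Table& t, const Cell& c, GuardMode mode) {
    if (c.colIndex >= 0 && static_cast<size_t>(c.colIndex) < t.colStyles.size())
        return true;
    if (mode == GuardMode::Assert) {
        gFailure("nsTablePainter error: cell column index out of range");
    } else {
        std::fprintf(stderr,
                     "WARNING: nsTablePainter error: cell column %d out of range (%zu columns)\n",
                     c.colIndex, t.colStyles.size());
        ++gWarnings;
    }
    return false;
}

// Paints every cell whose column style can be found; returns the count painted.
static int PaintTable(const Table& t, GuardMode mode) {
    int painted = 0;
    for (const Row& r : t.rows) {
        for (const Cell& c : r.cells) {
            if (!CellColumnIsValid(t, c, mode)) continue;   // guard first, then index
            const std::string& style = t.colStyles[c.colIndex];
            std::printf("paint cell col=%d style=%s\n", c.colIndex, style.c_str());
            ++painted;
        }
    }
    return painted;
}

// Constructed sample: a two-column table in which one cell claims column 5,
// the kind of frame/style mismatch an unguarded lookup would turn into an
// out-of-bounds read.
static Table SampleTable() {
    Table t;
    t.colStyles = {"red", "blue"};
    t.rows = { Row{{Cell{0}, Cell{1}}}, Row{{Cell{5}, Cell{0}}} };
    return t;
}

int main() {
    Table t = SampleTable();
    int n = PaintTable(t, GuardMode::Warn);
    std::printf("%d cells painted, %d skipped with a warning\n", n, gWarnings);
    return 0;
}
```

Run as written it paints three of the four cells and warns once; switching to GuardMode::Assert with the default handler turns that same mismatch into an abort at the first bad cell, which is the trade-off the two comments are weighing.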
Verified that the code got checked in. Also verified no crash in and (as said before).
Group: security
Crash Signature: [@ nsStyleContext::GetStyleDisplay]